gtk3-nocsd preloads a setuid library
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
gtk3-nocsd (Ubuntu) | Confirmed | Undecided | Unassigned |
snapd (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
Problem was originally reported in the snapcraft forum regarding snap-confine failing to launch snaps on Kubuntu:
https:/
The following AppArmor denial triggered by snap-confined was observed in the logs:
Dec 17 22:45:10 raffles audit[27067]: AVC apparmor=“DENIED” operation=
Upon further investigation, the behavior was identified as correct as far as snap-confine's AppArmor profile is concerned. The problem appears to be caused by the libgtk3-nocsd0 package, which ships a setuid library:
guest@ubuntu:
-rwSr--r-- 1 root root 26616 Mar 3 2018 /usr/lib/
and sets it up to be preloaded on non-GNOME desktops via Xsession.d hooks. Since snap-confine is a setuid binary, and the library in question is setuid as well, ld.so will attempt to load it.
The package also ships with a couple of lintian overrides:
libgtk3-nocsd0: setuid-binary usr/lib/
libgtk3-nocsd0: non-standard-
libgtk3-nocsd0: shlib-with-
Library version:
ii gtk3-nocsd 3-1ubuntu1 all Disable Gtk+ 3 client side decorations (CSD)
ii libgtk3-
Changed in snapd (Ubuntu):
status: New → Confirmed
Status changed to 'Confirmed' because the bug affects multiple users.
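As an added example (not part of the bug report or of either package), the script below audits a system for the condition described above. Per ld.so(8), in secure-execution mode preload entries containing slashes are ignored and the rest are loaded only from the standard search directories and only if the file has the set-user-ID bit. The function names, the `LIB_DIRS` default and the recursive search used to approximate ld.so's lookup are assumptions.

```shell
#!/usr/bin/env bash
# Added example: flag LD_PRELOAD entries that ld.so would still honour
# for a setuid program such as snap-confine.

# Library directories to search (assumption; adjust for the system at hand).
LIB_DIRS="${LIB_DIRS:-/lib /usr/lib /lib64 /usr/lib64}"

# Print every shared object under the given directories that has the
# setuid bit set (mode -4000), whether or not it is executable.
find_setuid_libs() {
    find "$@" -type f -name '*.so*' -perm -4000 2>/dev/null | sort
}

# check_preload "<LD_PRELOAD value>" dir...
# Prints "HONOURED <path>" for entries secure-execution mode would load
# and "IGNORED <entry>" for the rest. Returns 1 if any entry is honoured.
check_preload() {
    preload_value=$1; shift
    preload_rc=0
    # LD_PRELOAD entries are separated by colons or spaces.
    for entry in $(printf '%s' "$preload_value" | tr ':' ' '); do
        case $entry in
            */*) echo "IGNORED $entry"; continue ;;  # slashes: dropped in secure mode
        esac
        # Recursive search approximates ld.so's standard-directory lookup.
        hit=$(find "$@" -type f -name "$entry" -perm -4000 2>/dev/null | head -n 1)
        if [ -n "$hit" ]; then
            echo "HONOURED $hit"
            preload_rc=1
        else
            echo "IGNORED $entry"
        fi
    done
    return $preload_rc
}

# Audit the live session only when asked: ./audit-preload.sh --scan
if [ "${1:-}" = "--scan" ]; then
    echo "setuid shared objects:"
    find_setuid_libs $LIB_DIRS
    echo "LD_PRELOAD entries:"
    check_preload "${LD_PRELOAD:-}" $LIB_DIRS
fi
```

A `HONOURED` line means the named library will be mapped into setuid programs started from that session, which is what the AppArmor profile of snap-confine then has to allow or deny.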